
To enable the integration you need to add the following sudo configuration on the server running Bison:

fastnetmon ALL=(root) NOPASSWD: /usr/sbin/rcli vif acl rule *
fastnetmon ALL=(root) NOPASSWD: /usr/sbin/rcli sh vif acl rules aclid *
fastnetmon ALL=(root) NOPASSWD: /usr/sbin/rcli sh vif acl

As Bison ACLs have limited functionality, the following filtering options need to be adjusted in FastNetMon:

sudo fcli set main flow_spec_do_not_process_ip_fragmentation_flags_field false
sudo fcli set main flow_spec_do_not_process_length_field false
sudo fcli set main flow_spec_do_not_process_tcp_flags_field false
sudo fcli commit

Then create the configuration file /etc/fastnetmon_bison_flow_spec_acl.json with the following content (it holds SSH credentials, so restrict its permissions to the user running the tool):

{
  "log_path": "/var/log/fastnetmon/fastnetmon_bison_flow_spec_acl.log",
  "ssh_host": "10.0.0.1",
  "ssh_port": 22,
  "ssh_user": "fastnetmon",
  "ssh_password": "", 
  "ssh_key_path": "/etc/bison_flow_spec_acl_ssh_private.key",
  "acl_id_ipv4": 21,
  "acl_id_ipv6": 22,
  "sudo": true
}

Then enable JSON-based callback scripts on the FastNetMon side:

sudo fcli set main notify_script_enabled enable
sudo fcli set main notify_script_format json
sudo fcli set main notify_script_path /opt/fastnetmon_bison_flow_spec_acl
sudo fcli commit

Please note that Bison ACLs are applied before NAT port translation happens.

Then you need to enable the ACL for IPv4 on the Bison side this way:

#
# Apply ACL to PPPoE
#
# create ACL template VIF "pppoe_acl_tpl"
acl template vif add pppoe_acl_tpl

# add ACL 21 to VIF "pppoe_acl_tpl"
vif acl add dev pppoe_acl_tpl dir ingress aclid 21 prio 10

# use VIF "pppoe_acl_tpl" for every PPPoE subscriber
sysctl set pppoe_template_acl "pppoe_acl_tpl"

To enable IPv6 ACLs as well, you will need to run the following commands:

#
# ACL
#
vif acl create aclid 21 type ipv4_tuple deny
# drop UDP destination port 443
vif acl rule ipv4 add aclid 21 prio 10 proto 17 dport 443

vif acl create aclid 22 type ipv6_tuple deny

#
# Apply ACL to PPPoE
#
# create ACL template VIF "pppoe_acl_tpl"
acl template vif add pppoe_acl_tpl

# add ACL 21 to VIF "pppoe_acl_tpl"
vif acl add dev pppoe_acl_tpl dir ingress aclid 21 prio 10
vif acl add dev pppoe_acl_tpl dir ingress aclid 22 prio 20

# use VIF "pppoe_acl_tpl" for every PPPoE subscriber
sysctl set pppoe_template_acl "pppoe_acl_tpl"

Please note that ACL rules only start applying after the PPPoE session is re-established. You may either wait for all customers to reconnect or restart Bison entirely (be aware of the downtime this procedure causes).

Bison's Netflow export happens AFTER port translation and will therefore see only external (post-NAT) IPs.

IPv4 and IPv6 ACLs use different ACL IDs.

To check that the tool can connect to the remote server, use the following command:

echo '{"alert_scope":"host","action":"connection_check"}' | sudo bin/fastnetmon_bison_flow_spec_acl

For testing purposes you can run the following sample commands to create rules:


echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "protocols":["udp"]}]}' | sudo bin/fastnetmon_bison_flow_spec_acl

echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "protocols":["tcp"]}]}' | sudo bin/fastnetmon_bison_flow_spec_acl

 echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "protocols":["udp"], "destination_ports": [123] }]}' | sudo bin/fastnetmon_bison_flow_spec_acl
 
 echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "protocols":["udp"], "source_ports": [123] }]}' | sudo bin/fastnetmon_bison_flow_spec_acl
  
echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "protocols":["udp"], "destination_ports": [123], "source_prefix": "10.0.0.1/32" }]}' | sudo bin/fastnetmon_bison_flow_spec_acl

echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "protocols":["udp"], "destination_ports": [123], "source_prefix": "10.0.0.1/24" }]}' | sudo bin/fastnetmon_bison_flow_spec_acl

echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "source_prefix": "10.0.0.1/24" }]}' | sudo bin/fastnetmon_bison_flow_spec_acl

echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "destination_prefix": "10.0.0.1/24" }]}' | sudo bin/fastnetmon_bison_flow_spec_acl
 
echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "protocols":["udp"], "destination_ports": [123], "source_ports":[1234],"destination_prefix": "10.0.3.0/24","source_prefix": "10.0.0.1/24" }]}' | sudo bin/fastnetmon_bison_flow_spec_acl

About

Integration between FastNetMon Flow Spec logic and Bison router ACLs
